The DFARS CMMC Rule Is Now in Effect: What Defense Contractors Must Do in 2026


The Defense Federal Acquisition Regulation Supplement (DFARS) final rule embedding CMMC requirements into DoD procurement took effect on November 9, 2025. Defense contractors handling Federal Contract Information or Controlled Unclassified Information must now hold a verified CMMC status in the Supplier Performance Risk System (SPRS) to be eligible for award on applicable contracts. The three-year phased rollout is underway, and requirements are actively expanding.

What Is DFARS and Why Did This Rule Change Matter?

The Defense Federal Acquisition Regulation Supplement (DFARS) is the set of rules that governs how the Department of Defense acquires goods and services. Every DoD contract is governed by DFARS, so changes to DFARS have direct, binding implications for any contractor or subcontractor in the defense supply chain.

For years, CMMC existed as a DoD program requirement but was not formally embedded in DFARS contract clauses. Contractors knew CMMC was coming, but the contractual enforcement mechanism was still evolving. The September 2025 final rule changed that. Specifically, it codified CMMC obligations directly into DFARS, making them enforceable contract terms rather than advisory guidance.

What the September 2025 Rule Actually Did

Published in the Federal Register on September 10, 2025 (Document 2025-17359), the final rule amended DFARS to formally incorporate CMMC contractual requirements into DoD procurements. It became effective 60 days later, on November 9, 2025. Specifically, the rule established the CMMC compliance clauses that contracting officers must now include in covered solicitations and contracts.

Additionally, the rule defined a three-year phased approach to rolling out CMMC requirements across the DoD contract base. During the phase-in period, CMMC requirements appear in contracts designated by program offices. After the phase-in, requirements become standard for all contracts that handle Federal Contract Information or Controlled Unclassified Information, except for purely Commercial-Off-The-Shelf (COTS) item purchases.

How CMMC Is Now Embedded in DoD Contracting

Under the new rule, CMMC compliance is a condition of contract award for applicable solicitations. Contracting officers are required to verify that offerors hold a current, appropriate-level CMMC status in SPRS before awarding a contract. Furthermore, contractors must maintain that status throughout the life of the contract, not just at the point of award.

This is a significant shift. Previously, self-attestation and good-faith compliance efforts were the primary enforcement mechanism. However, the DFARS rule establishes a formal verification checkpoint at contract award. In other words, organizations that cannot demonstrate a current CMMC status in SPRS are no longer eligible for award on covered contracts.

Who Is Affected by the DFARS CMMC Rule?

The rule applies broadly across the defense supply chain. However, the specific requirements vary based on the type of information a contractor’s systems handle and their position in the supply chain. That said, both prime contractors and subcontractors face binding obligations if they touch covered information.

Prime Contractors

Prime contractors responding to covered DoD solicitations must hold a CMMC status in SPRS at the level required by the contract. Specifically, Level 1 applies to contractors whose systems handle only Federal Contract Information. Level 2 applies to contractors whose systems handle Controlled Unclassified Information. Level 3 applies to contractors working on the most sensitive DoD programs.

Additionally, prime contractors carry a flow-down obligation. They must ensure that subcontractors who handle FCI or CUI also hold the appropriate CMMC status. In practice, this means prime contractors must actively verify and document subcontractor compliance, not simply pass the clause through contractually.

Subcontractors

Subcontractors at any tier who handle FCI or CUI under a covered DoD contract are subject to CMMC requirements. Specifically, subcontractors must self-report in SPRS by uploading their self-assessment results and annual compliance affirmations. They must also maintain their CMMC Unique Identifiers (UIDs) and keep assessment results current throughout contract performance.

Furthermore, subcontractors must update their SPRS records whenever material changes occur in their environment or compliance posture. Failure to maintain current records is itself a compliance gap that can affect the prime contractor’s ability to demonstrate supply chain compliance.

FCI vs. CUI: Why the Distinction Determines Your Level

Federal Contract Information (FCI) is information provided by or generated for the government under a contract, excluding information provided to the public. If your systems handle FCI but not CUI, CMMC Level 1 applies. Level 1 requires only basic cyber hygiene practices and annual self-attestation.

Controlled Unclassified Information (CUI) is a broader category of sensitive government information that requires protection under law, regulation, or policy. If your systems handle CUI, CMMC Level 2 applies, which requires compliance with all 110 controls in NIST SP 800-171 and, for most contractors, a formal third-party C3PAO assessment. Unlike Level 1, Level 2 is not self-certifiable for most organizations, and the November 10, 2026 Phase 2 deadline makes the C3PAO assessment timeline a pressing operational concern.

Where the Rule Stands Right Now: June 2026

As of June 2026, the DFARS CMMC rule is active and operational. We are seven months into the three-year phase-in period. CMMC requirements are appearing in program office-designated solicitations across the DoD. Contractors bidding on covered solicitations must be prepared to demonstrate their current status in SPRS.

Two timelines are converging, creating urgency for Level 2 contractors. The DFARS phase-in is expanding the number of contracts that require CMMC compliance each month. Separately, the CMMC program’s own Phase 2 deadline, November 10, 2026, mandates formal C3PAO third-party assessments for Level 2 contractors. That deadline is approximately five months away.

Consequently, organizations that have not yet begun a structured CMMC implementation program face compressed timelines on two fronts simultaneously. C3PAO assessment calendars are booking 6 to 12 months out. In other words, a Level 2 contractor that starts today is already working against the clock.

DFARS CMMC Phase-In Timeline

| Phase | Timeframe | What It Means for Contractors |
| --- | --- | --- |
| Phase-in period | Nov 2025 – approx. Nov 2028 (Years 1-3) | CMMC requirements appear in select contracts designated by DoD program offices. Not all contracts require CMMC yet. |
| CMMC Phase 2 deadline | November 10, 2026 | Mandatory third-party C3PAO assessment required for Level 2 DoD contracts. Self-attestation alone is no longer sufficient. |
| Full rollout | After approx. Nov 2028 (Year 4+) | CMMC requirements standard in all contracts where systems handle FCI or CUI, except COTS-only purchases. |
| Level 1 – ongoing | Effective now | Annual self-attestation required. Final CMMC status required in SPRS for contract eligibility. |
| Level 2 – ongoing | Effective now for designated contracts | Conditional status (up to 180 days) permitted during phase-in. C3PAO assessment required by Nov 10, 2026 for Phase 2 contracts. |

SPRS Requirements: What You Must Have on Record

The Supplier Performance Risk System (SPRS) is the DoD’s centralized repository for contractor compliance records. Under the DFARS rule, SPRS is the official system of record for CMMC status. Contracting officers verify compliance here before awarding contracts. Consequently, what is in SPRS defines your eligibility for DoD contract award.

CMMC UID Registration and Assessment Posting

Every contractor subject to CMMC requirements must obtain a CMMC Unique Identifier (UID) through the CyberAB marketplace and ensure it is current in SPRS. Additionally, contractors must post their assessment results (self-assessment score for Level 1, or C3PAO assessment results for Level 2) and update those records whenever the compliance posture changes.

Annual affirmations of compliance are required throughout the contract lifecycle. These affirmations confirm that your organization’s security posture continues to meet the requirements of your CMMC level. The SPRS portal is where all of these records are entered and maintained.

Subcontractor Verification Obligations for Primes

Prime contractors carry responsibility for their subcontractors’ CMMC compliance. Specifically, when a subcontractor handles FCI or CUI under a covered contract, the prime must verify that the subcontractor holds the appropriate CMMC status in SPRS. This is not a passive pass-through obligation. Primes must actively collect and document evidence of subcontractor compliance.

Furthermore, this obligation extends to any tier of subcontracting where covered information flows. If your subcontractor uses a second-tier subcontractor who handles CUI, that second-tier subcontractor also falls under the flow-down requirement. Consequently, prime contractors should map their CUI data flows through the supply chain and verify compliance at each tier.

What This Means Now: Practical Next Steps for Contractors

The rule is in effect, and requirements are actively appearing in solicitations. Here is how to prioritize your compliance effort based on where you are today.

If You Handle CUI (Level 2 Applies)

First, verify your current SPRS score and CMMC UID status. If you have not completed a formal gap assessment against all 110 NIST SP 800-171 controls, that is the immediate next step. Your gap assessment output (the POA&M) is what drives your remediation roadmap. Second, if you plan to pursue a C3PAO assessment before the November 10, 2026 deadline, contact C3PAOs now. Most are booking 6 to 12 months in advance. Third, engage an implementation partner rather than an advisory-only RPO. Organizations that receive a POA&M without engineering support to execute it are the ones failing C3PAO Phase 1 readiness evaluations.

Tego’s integrated VAR-RPO model covers all four phases of CMMC implementation: gap assessment, technical remediation, procurement of compliant tools, and pre-assessment audit. Learn more about how the VAR-RPO model works.

If You Handle FCI Only (Level 1 Applies)

Level 1 requires basic cyber hygiene practices and annual self-attestation. Specifically, you must complete your self-assessment against the 17 Level 1 practices, post your score in SPRS, and affirm compliance annually. Additionally, ensure that your CMMC UID is registered and up to date. Level 1 requires a Final CMMC status in SPRS for contract eligibility, not a Conditional status.

That said, many organizations handling only FCI today will encounter CUI as their DoD contracts expand. Therefore, it is worth conducting a data flow review now to confirm whether CUI is actually present in your environment, particularly in email, shared drives, and collaboration tools.

For Prime Contractors Managing Subcontractor Compliance

Build your subcontractor verification process now, before it becomes a contract performance issue. Specifically, identify every subcontractor that touches FCI or CUI under your DoD contracts, request their SPRS records and CMMC UIDs, and document the verification in your compliance files. Furthermore, include CMMC flow-down clauses in your subcontract agreements and require subcontractors to notify you of any changes to their CMMC status.

For organizations managing complex cloud and infrastructure environments under CMMC, Tego’s cloud enclave guidance for CMMC compliance addresses how to scope and protect CUI-handling systems in hybrid environments.

Frequently Asked Questions: DFARS and CMMC Compliance in 2026

Understanding the Rule

What is the DFARS final rule published in September 2025?

The DFARS final rule (Federal Register document 2025-17359) formally incorporated CMMC compliance requirements into DoD contract clauses. It was published on September 10, 2025, and became effective on November 9, 2025. The rule makes CMMC compliance a binding contractual obligation rather than an advisory requirement and establishes a three-year phased approach to expanding CMMC requirements across the DoD contract base.

What is the difference between the DFARS phase-in and the CMMC Phase 2 deadline?

These are two separate timelines. The DFARS phase-in is a three-year period during which CMMC requirements are introduced into designated contracts and gradually expand to cover all applicable DoD contracts. The CMMC Phase 2 deadline, November 10, 2026, is a specific milestone within the CMMC program that requires Level 2 contractors to obtain formal third-party C3PAO assessments rather than relying on self-attestation. Importantly, both timelines are active simultaneously and affect the same contractors. Consequently, organizations must plan for both rather than treating them as sequential events.

What does Conditional vs. Final CMMC status mean?

A Final CMMC status means your organization has completed all requirements for your level, including a C3PAO assessment for Level 2. A Conditional status is a temporary designation granted when a contractor has not yet met all requirements but has an approved POA&M with a timeline for full compliance. The DFARS rule allows Conditional status for Levels 2 and 3 during the phase-in period, for up to 180 days. However, Level 1 requires a Final status to be eligible for the contract. There is no Conditional option at Level 1.

Compliance Actions and Timelines

How do I know if my contracts are covered by the DFARS CMMC rule?

Look for CMMC-related DFARS clauses in your solicitations and contract documents. Additionally, review whether your systems handle FCI or CUI. If your contract involves delivering services or products to the DoD and your systems access, process, store, or transmit any government information, CMMC requirements likely apply. Your contracting officer can confirm whether a specific solicitation includes the CMMC clause. However, waiting for the contracting officer to flag it is not a reliable compliance strategy. Instead, proactively audit your current contracts and incoming solicitations against the CMMC clause criteria.

Consequences and Timeline Realities

What happens if I cannot demonstrate CMMC compliance by the required deadline?

For covered contracts, inability to demonstrate the required CMMC status in SPRS results in ineligibility for contract award. For existing contracts that add CMMC requirements through modification, noncompliance can constitute a breach of contract. Specifically, the November 10, 2026 Phase 2 deadline means Level 2 contractors who have not completed a C3PAO assessment will be unable to compete on new Phase 2-covered contracts after that date. Therefore, the practical consequence is exclusion from the DoD contract market. In other words, noncompliance is not a fine or a warning; it is a loss of contract eligibility.

How long does it take to achieve CMMC Level 2 compliance?

Most organizations require 12 or more months to reach genuine audit readiness for CMMC Level 2, depending on their starting posture and the complexity of their CUI environment. With C3PAO booking lead time of 6 to 12 months added, organizations beginning today should plan for 18 to 24 months from start to certified. Consequently, contractors who have not yet started a structured implementation program are already working against the November 2026 Phase 2 deadline. Furthermore, starting with an integrated advisory and implementation partner compresses that timeline by reducing costly remediation rework.

Start Your CMMC Compliance Assessment Today

The DFARS rule is in effect, and the November 10, 2026 Phase 2 deadline is five months away. Organizations that act now retain the most options. Those that delay are increasingly dependent on a C3PAO availability window that is narrowing rapidly.

Tego Data Systems helps North Carolina defense contractors and federal suppliers navigate CMMC compliance from gap assessment through C3PAO readiness. As a Registered Provider Organization with VAR procurement capabilities, Tego provides the full implementation stack, not just advisory guidance.

Resources and Primary Sources

DFARS Final Rule (Federal Register 2025-17359): https://public-inspection.federalregister.gov/2025-17359.pdf

DoD CMMC Program Overview: https://dodcio.defense.gov/CMMC/

SPRS (Supplier Performance Risk System): https://www.sprs.csd.disa.mil/

CyberAB RPO and C3PAO Directory: https://cyberab.org/

NIST SP 800-171 Rev. 3: https://csrc.nist.gov/publications/detail/sp/800-171/rev-3/final

DFARS Regulations (acquisition.gov): https://www.acquisition.gov/dfars